THE VIEW FROM INSIDE
It's the smart hackers we have to worry about
Walter R. Houser
Odd as this may sound, I really think we were lucky with the Melissa and ILOVEYOU viruses. Their payloads, admittedly damaging and inconvenient, were also totally unsubtle and therefore easy to notice and catch.
A professional attacker (that is, one economically motivated) would avoid such blatant dramatics in favor of more lucrative tactics. A serious hacker could become wealthy by being patient and staying difficult to detect.
Only an amateur would randomly vandalize files and brag about it later. A pro would be more selective and discreet, instead of indiscriminately trashing a lot of files.
The pro would install a terminate-and-stay-resident program to run in the background and capture user log-ons. A fake reboot program could con users into entering names and passwords. Screen scraper applications could harvest government financial or statistical data prior to intended release.
The security of federal computers and networks is, of course, no idle concern. The Commerce, Labor and Agriculture departments, the Securities and Exchange Commission and other federal agencies all produce reports that influence the direction of national and international financial and commodity markets.
Crooked and technically savvy investors could make fortunes if they could anticipate the direction markets will move in response to crop reports or inflation statistics.
The insidious hacker wants to minimize risk and publicity to maximize financial gain. Instead of generating repetitive ILOVEYOU messages that are transparently false, the stealthy hacker would use other techniques. He or she would resend a select number of the victim's e-mail messages that had attachments. The attachments would be doctored with scripts or executables to launch the attack. Many recipients would open the second message and attachments, believing the attached file had been updated or sent in error. If the resent messages were few and sent only occasionally, few users would notice the attack in time.
Dancing babies, animated Christmas scenes and electronic French post cards can all carry hidden deadly payloads. While you are being entertained, the program can install software to purloin passwords and other goodies.
Other attacks would not require stolen passwords. With agencies posting statistical reports on their Web sites, a hacker could employ a man-in-the-middle attack to temporarily replace the site with a bogus substitute, combined with a denial-of-service attack that takes the real Web site offline.
The domain name service would then be tricked into advertising the bogus site's address, directing market watchers to the fake site. The smart hacker wouldn't deface the home page with pictures of Hitler and the like, but leave it intact, only with the wrong information.
In minutes, the hacker and his confederates would take contrary market positions, liquidate them and stow the loot in numbered accounts.
The most effective antidote to many forms of attack is the deployment of a public-key infrastructure. All users should have a public-private key pair with which to sign and encrypt messages and documents. E-mail and documents that had been tampered with and re-sent would be identified as suspect. If you kept your private key private, the hacker could not change the message without conflicting with the encrypted hash code that guarantees the integrity of the document.
The recipient's e-mail software should alert the recipient that the document has been tampered with.
Agencies must require executables to be signed so their pedigree can be validated. This would let recipients know that the entertainment had a legitimate and verifiable source. Only the viewer's time, and not the agency network or data, would be wasted.
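The tamper check described above can be tried with the openssl command line. This is an added example, not part of the original column; the key names, file names and report text are constructed for illustration. It signs a report, then shows the recipient's verdict for the original, for a doctored re-send carrying the old signature, and for a doctored re-send signed with a key that is not the sender's.

```shell
# Added example: detached signatures over a re-sent attachment (constructed data).

# Generate an RSA key pair as $1.key (private) and $1.pub (public).
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.key" 2>/dev/null &&
    openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# Sign file $2 with private key $1; the detached signature goes to $2.sig.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Succeed only if signature $3 matches file $2 under public key $1.
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Print the recipient's verdict for one received copy ($1 is a label).
verdict() {
    if verify_file "$2" "$3" "$4"; then echo "$1: OK"; else echo "$1: REJECTED"; fi
}

# The column's scenario: an original message, then two doctored re-sends.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_keys sender || exit 1
        make_keys intruder || exit 1
        printf 'Crop estimate: 1,250 units (constructed sample)\n' > report.txt
        sign_file sender.key report.txt || exit 1
        verdict original sender.pub report.txt report.txt.sig
        # Re-send 1: content altered, the sender's old signature reattached.
        cp report.txt doctored.txt
        printf 'Crop estimate: 9,999 units\n' >> doctored.txt
        verdict doctored sender.pub doctored.txt report.txt.sig
        # Re-send 2: altered content signed with a key that is not the sender's.
        sign_file intruder.key doctored.txt || exit 1
        verdict re-signed sender.pub doctored.txt doctored.txt.sig
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo
```

The third case is rejected only because the recipient checks against the sender's known public key, which is the binding a public-key infrastructure exists to provide.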
A related solution is IP Version 6. The IPv6 upgrade to the Internet would give resources and owners their own private and public keys. Computers and routers would have key pairs just like people. Their packets would be signed, even encrypted, to thwart man-in-the-middle and denial-of-service attacks. Domain name servers could not be updated with bogus addresses because the digital signatures would not match.
Effective security will cost money, but failure to act will cost much more. Melissa and ILOVEYOU are wake-up calls that agencies must heed.
Walter R. Houser, who has more than two decades of experience in federal information management, is webmaster for a Cabinet agency. His personal Web home page is at www.cpcug.org/user/houser.